RedHat: RHSA-2021-2053:01 Important: Red Hat OpenShift GitOps secur...
=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update
Advisory ID:       RHSA-2021:2053-01
Product:           Red Hat OpenShift GitOps
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2053
Issue date:        2021-05-19
Keywords:          openshift, gitops, cicd
CVE Names:         CVE-2020-15586 CVE-2020-16845 CVE-2020-25648 
                   CVE-2020-25692 CVE-2020-28362 CVE-2021-3114 
                   CVE-2021-3557 CVE-2021-20305 CVE-2021-25215 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift GitOps is a declarative way to implement continuous
deployment for cloud native applications.

Security Fix(es):

* argocd: ServiceAccount argocd-argocd-server is able to read all resources
of the whole cluster (CVE-2021-3557)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
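
A practitioner reading this fix will want to check their own cluster for the
same class of over-privilege: a ServiceAccount that can get, list and watch
every resource in every API group through a ClusterRoleBinding. The script
below is an added example for this page, not code from Red Hat or the Argo CD
project. The RBAC objects it audits are constructed for illustration and are
not the real Argo CD manifests; only the ServiceAccount name
argocd-argocd-server comes from the advisory, and the namespace
"openshift-gitops" is an assumption. It also separates the finding from two
cases an audit must not confuse with it: a broad ClusterRole bound through a
namespaced RoleBinding, which only grants access inside that namespace, and a
narrow ClusterRole bound cluster-wide.

```python
"""Audit RBAC objects for a ServiceAccount that can read every resource cluster-wide.

Added example for this advisory; not Red Hat's or the Argo CD project's code.
The sample objects are constructed (not real Argo CD manifests) and the
namespace "openshift-gitops" is an assumption. Object shapes match what
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`
returns, restricted to the fields read here, so the same functions run over a
real dump.
"""
import json
import sys

READ_VERBS = {"get", "list", "watch"}


def rule_is_cluster_read(rule):
    """A PolicyRule grants unrestricted read if it covers every API group and
    every resource with at least get/list/watch (or the wildcard verb)."""
    verbs = set(rule.get("verbs", []))
    if "*" not in verbs and not READ_VERBS <= verbs:
        return False
    return "*" in rule.get("apiGroups", []) and "*" in rule.get("resources", [])


def subject_covers_sa(subject, ns, name):
    """True if a binding subject applies to ServiceAccount ns/name, including
    the implicit groups every ServiceAccount is a member of."""
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return subject.get("name") == name and subject.get("namespace") == ns
    if kind == "Group":
        return subject.get("name") in {
            "system:serviceaccounts",
            f"system:serviceaccounts:{ns}",
            "system:authenticated",
        }
    return False


def cluster_read_grants(objects, ns, name):
    """Names of the ClusterRoleBindings through which ServiceAccount ns/name can
    read every resource in the cluster.

    Only ClusterRoleBindings count: a ClusterRole referenced from a RoleBinding
    is scoped to that RoleBinding's namespace, so however broad its rules are
    it never grants cluster-wide access."""
    cluster_roles = {
        o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"
    }
    hits = []
    for binding in objects:
        if binding["kind"] != "ClusterRoleBinding":
            continue
        ref = binding["roleRef"]
        role = cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if role is None:
            continue
        if not any(subject_covers_sa(s, ns, name) for s in binding.get("subjects", [])):
            continue
        if any(rule_is_cluster_read(r) for r in role.get("rules", [])):
            hits.append(binding["metadata"]["name"])
    return hits


# Constructed sample dump; names, rules and the namespace are made up.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "wide-read"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "app-read"},
     "rules": [{"apiGroups": ["argoproj.io"], "resources": ["applications"],
                "verbs": ["get", "list", "watch"]}]},
    # The finding: a ClusterRoleBinding hands wide-read to the server ServiceAccount.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "server-wide-read"},
     "roleRef": {"kind": "ClusterRole", "name": "wide-read"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-argocd-server",
                   "namespace": "openshift-gitops"}]},
    # Same ClusterRole bound by a RoleBinding: read access only inside team-a.
    {"kind": "RoleBinding", "metadata": {"name": "team-a-read", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "wide-read"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-argocd-server",
                   "namespace": "openshift-gitops"}]},
    # Narrow ClusterRole bound cluster-wide: not a read of every resource.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "server-app-read"},
     "roleRef": {"kind": "ClusterRole", "name": "app-read"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-argocd-server",
                   "namespace": "openshift-gitops"}]},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            objs = json.load(fh)["items"]  # kubectl -o json wraps multiple kinds in a List
    else:
        objs = SAMPLE_OBJECTS
    for b in cluster_read_grants(objs, "openshift-gitops", "argocd-argocd-server"):
        print(f"cluster-wide read via ClusterRoleBinding/{b}")
```

Against the sample data only server-wide-read is reported. To run it over a
real cluster, dump the objects with
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json > rbac.json`
and pass the file as the first argument (the file name is an assumption). The
quickest spot check on a live cluster is
`kubectl auth can-i --list --as=system:serviceaccount:openshift-gitops:argocd-argocd-server`,
which prints the effective rules the API server itself computes; on OpenShift,
`oc` accepts the same arguments. Aggregated ClusterRoles need no special
handling when auditing a live dump, because the controller has already filled
in their merged rules.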

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1961929 - CVE-2021-3557 argocd: ServiceAccount argocd-argocd-server is able to read all resources of the whole cluster

5. JIRA issues fixed (https://issues.jboss.org/):

GITOPS-951 - Remove operator dependency on OpenShift Pipelines

6. References:

https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2020-25692
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3557
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/cve/CVE-2021-25215
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
https://listman.redhat.com/mailman/listinfo/rhsa-announce
